
Cybersecurity
Cyber Hygiene for Politicians: An Essential Protection in the Digital Age

Patricia Egger from Proton provides insights into what measures politicians should take to protect themselves effectively in the digital world.
Summit of the Interparliamentary Alliance on China (IPAC)

Patricia Egger, Head of Security at Proton, speaks at the IPAC Summit 2024 in Taipei about cyber risks in political institutions.

© IPAC

It is not surprising that cybersecurity was a major topic at this year’s Interparliamentary Alliance on China (IPAC) summit. The coalition of parliamentarians critical of the Chinese government had itself become the target of a cyberattack. In March 2024, the hacker group APT31, which is said to have ties to the Chinese government, sent over 1,000 phishing emails to IPAC members. Since then, the association has advocated for urgent improvements in cybersecurity support for politicians and for strengthening institutional resilience against cyberattacks. Patricia Egger, Head of Security at Proton, spoke at the IPAC Summit about encryption and cybersecurity for politicians, making it clear that the situation is serious.

"18 percent of all cyberattacks target governments and politicians," emphasizes Patricia Egger.

Cyberattacks on political institutions generally leverage malware or the abuse of legitimate access to reach their objectives. The end goal is to spy on victims, steal sensitive data, or even disrupt internal processes. Especially in the election year 2024, with numerous upcoming elections, it is crucial that politicians protect themselves. After all, nothing less than the credibility of democratic processes is at stake.

So how can politicians act to minimize security risks? Patricia Egger has provided us with guidance.

Separation of Private and Professional Activities

First, Egger recommends separating private and professional activities and devices as much as possible. This reduces the risk of security vulnerabilities from someone's private sphere affecting their professional sphere. In addition, professional devices and systems should be controlled and monitored by dedicated professionals and therefore generally have a higher level of security than their personal counterparts. Additionally, official email accounts should not be used for third-party applications that are unrelated to one's professional responsibilities. Egger refers to a study published by Proton in collaboration with Constella Intelligence in May 2024. It shows that email addresses and other sensitive information of 44 percent of all Members of the European Parliament can be found in data leaks on the dark web.

At first glance, the publication of email addresses may seem harmless. However, the fact that these addresses are found in dark web databases indicates that official email accounts were used to create profiles on platforms such as LinkedIn or Adobe, which later fell victim to data breaches. Particularly concerning is that passwords for some of these accounts have also appeared on the dark web. If politicians reused the same passwords for their government accounts, unauthorized access to a government system could be achieved. These results highlight serious concerns regarding cybersecurity practices in politics, as even a single leak can pose a serious threat to national security.

Strong Passwords: The Foundation of Good Cyber Hygiene

Patricia Egger emphasizes that good cyber hygiene involves using strong credentials (e.g., passwords) that are unique to each account. Multi-factor authentication (MFA) is also crucial, as it prevents direct access even if a password is compromised. To manage complex passwords and ensure they are not reused, the use of a password manager is recommended. These tools help generate, store, and automatically fill in secure passwords, allowing individuals to use passwords that are a lot more secure than if they needed to remember them. 

End-to-End Encryption

Egger recommends using applications that offer end-to-end encryption, such as the email service ProtonMail and the messaging app Signal. This encryption technology ensures that only the communication partners have access to the messages. For example, if Gmail, which does not provide end-to-end encryption, is hacked, user email data could theoretically be leaked. With an encrypted service, this would not be possible, as the messages are only readable by the sender and the receiver. Even the service provider cannot access them.

Apps on Government Devices: The Blacklist and Whitelist Approaches

What is Egger’s opinion on the bans on TikTok or Kaspersky on government devices in the USA? “Every installed program increases the attack surface.” Therefore, the installation of applications should be limited as much as possible. She notes that there are two different approaches to managing applications installed on devices: blacklists and whitelists. “On government devices, nothing should be installed that is not necessary for work. The blacklist approach blocks specific apps like TikTok. This approach is fundamentally flawed, as new apps are constantly emerging and lesser-known applications may be just as risky, although they get less attention. Where security is more important than convenience, we should use the whitelist approach and only allow applications that are essential for work.” Additionally, the access of applications to device data such as photos or the microphone should be restricted. This provides effective protection in case these apps are hacked or contain malware.

Protection Against Spyware: Measures Against Pegasus and Co.

Spyware is an increasing concern, especially for politicians. For example, Pegasus targeted Emmanuel Macron’s device. Egger emphasizes that while there are measures to reduce the risk from spyware like Pegasus, complete immunity is not possible. She explains:

“Spyware like Pegasus is highly targeted and quite sophisticated.” The origin of such an infection can come from a so-called zero-click attack, where the device is infected without the user opening a link, such as through a text message. If you receive a suspicious SMS from an unknown number, you should report it, block the sender, and reboot the affected device.

Cyber Hygiene: A Key Competence in Public Service

Whether it's the attack by APT31 on IPAC or the recent attack on the CDU before the European elections, there are numerous examples highlighting the tense threat landscape. Patricia Egger’s insights make it unmistakably clear that mastering the art of digital risk management is no longer optional for those in public office—it's a critical necessity. As she points out, no security measure is infallible, but layering defenses makes it exponentially harder for attackers to succeed. The goal should be to make the attacker's job as difficult as possible, particularly when the stakes involve the integrity of democratic processes.